Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

← Back to Stories (view on slashdot.org)

Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

Posted by Soulskill on Friday January 18, 2013 @06:43AM from the it-just-goes-on-and-on-my-friends dept.

msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."

154 of 223 comments (clear)

Min score:

Reason:

Sort:

Enough Already by Anonymous Coward · 2013-01-18 06:48 · Score: 5, Insightful

Someone, please put Java in the browser out of our misery.
1. Re:Enough Already by arth1 · 2013-01-18 06:56 · Score: 2, Informative
  
  Someone, please put Java in the browser out of our misery.
  As a sysadmin, I say someone please put Java outside the browser out of my misery.
  "Oh, the system has 24 GB RAM, that means I, Java, can hog 18 GB by default, no problem!", followed by anguish from users who neither understands NUMA nor cgroups, and wonder why their java "creations" are killed by the system.
2. Re:Enough Already by CodeReign · 2013-01-18 07:09 · Score: 3, Informative
  
  That's not how java works. Java has a very small memory footprint by default. This is why running minecraft requires you to run java -Xmx6G minecraft_server.jar so you can use upto 6GB
3. Re:Enough Already by Anonymous Coward · 2013-01-18 07:09 · Score: 1
  
  anguish from users who neither understands NUMA nor cgroups, and wonder why their java "creations" are killed by the system.
  What about the anguish from sysadmins who neither understands virtual memory nor how to interpret the results from top and free and makes their cgroup restrictions too strict?
4. Re:Enough Already by Anonymous Coward · 2013-01-18 07:14 · Score: 2, Interesting
  
  Someone, please put Java in the browser out of our misery.
  Said by someone that hasn't installed the latest update.
  Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".
5. Re:Enough Already by Anonymous Coward · 2013-01-18 07:24 · Score: 3, Interesting
  
  Actually, it was said by someone who removed Java, along with Flash & Adobe Reader, from all my client's computers almost two years ago when the three of them were battling for the top spot of "Security Hole of the Year".
  Well, I uninstalled Adobe Reader and Flash many years ago and nothing of interest was lost.
  As for Java, I just disable the browser plugin and that's it. Desktop java applications (yes yes they do exist, for instance jdownloader) continue to work wonderfully.
6. Re:Enough Already by Above · 2013-01-18 07:33 · Score: 3, Informative
  
  I would love to banish Java from all of my machines never to see it again. Most of the uses for Java are well, useless to me, HOWEVER....
  There are a few things I do that require Java and even if I wanted to badger my vendors to do them in some other cross platform way I'm not sure how they could. The two I regularly use are access to IPMI cards and Cisco WebEx. Both do things that as far as I can tell can't simply be done in a browser with HTML5 and JavaScript.
  If someone had a good solution for those sorts of things I would dump Java in a heartbeat.
7. Re:Enough Already by datavirtue · 2013-01-18 07:46 · Score: 3, Funny
  
  Why, after all this it will be unbreakable. Look at Windows and how it has improved. Hold on, Windows Store, locked down application environment....uh.
  
  --
  I object to power without constructive purpose. --Spock
8. Re:Enough Already by Anonymous Coward · 2013-01-18 07:58 · Score: 4, Informative
  
  in defense of both sysad and java, there are developers which just tink that garbage collection is magic and create a memory problem where there is none
9. Re:Enough Already by Anonymous Coward · 2013-01-18 08:21 · Score: 3, Insightful
  
  From a user-experience point of view, doing that work to enable Java to work properly for Minecraft is an abortion.
10. Re:Enough Already by mrops · 2013-01-18 08:31 · Score: 1
  
  At this point there is no reason why HTML5 canvas can't do what WebEx is doing with Java. Java is great for server side development, it shouldn't be on any end user machines.
  Disclaimer: 10+ year Java developer, so I am biased in favor of Java for web/server development.
11. Re:Enough Already by robmv · 2013-01-18 08:36 · Score: 3, Insightful
  
  Already done, the previous u10 added options on the Java control panel (Windows) to disable all Java feature on the browser, so if you need Java for desktop applications, you don't need expose it to the browser.
  Note: The Java plugin code was never open sourced to OpenJDK, people from IcedTea project developed a new plugin and JNLP engine for Linux. I am starting to think that Sun already knew the bad security quality of the plugin and they decided to never release that code
12. Re:Enough Already by kbg · 2013-01-18 08:52 · Score: 5, Insightful
  
  This is one of the very stupid things Java has. The user has to set memory limits for the application, either using to much memory or too little, and the memory used is based on the usage for the application so that it is always a possibility to run out of memory for a Java application even if you have enough memory on your machine. This is a major usability and design flaw in Java.
13. Re:Enough Already by moderators_are_w*nke · 2013-01-18 08:55 · Score: 2
  
  I've worked on Java processes that use that much RAM. On a server app, if you have it, why not use it (for caches etc.). Better than having it sit there depreciating.
  
  --
  "XML is like violence. If it doesn't solve your problem, use more." - Anonymous Coward
14. Re:Enough Already by Lisias · 2013-01-18 09:10 · Score: 2
  
  From a user-experience point of view, doing that work to enable Java to work properly for Minecraft is an abortion.
  Being this the main reason for what some (good) developers made the choice to write a tiny native launcher for their java programs.
  
  --
  Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
15. Re:Enough Already by hairyfeet · 2013-01-18 09:25 · Score: 3, Informative
  
  Well as I posted when the band aid patch that is now busted was put out it could take 2 years to fix the actual problem because the underlying code is "broken" and pretty much needs a full rewrite. We can't really blame Oracle for this as Java was a mess when Sun had it, Oracle merely got stuck with the mess when they bought out Sun.
  The thing I WILL blame Oracle for is the fact that if you update the damned software with the patch it RE-ENABLES the browser plug in unless you know to disable it, along with the usual crapware that comes with everything. Oh and I also blame the jerk that made Minecraft for bringing shitty Java back to the home users, for a good while there I had all but wiped Java out on home users systems, then that damned game came up and here we go again.
  Personally I think Homeland Security should order Oracle to put out a patch that disables the browser plug in and bar them from re-enabling it when they patch as those that actually NEED Java can find out how to turn on the plug in easy enough but those that don't won't know to disable it every. single. time. they have an update.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
16. Re:Enough Already by Anonymous Coward · 2013-01-18 09:36 · Score: 1
  
  Getting most Java software working seems to be a real effing hassle. Several open source packages seem to go out of their way to be especially hostile to Windows users, going so far as providing broken launchers. Hardcoded paths, unquoted paths, stupid assumptions, the wrong line terminators in batch files... bleh.
17. Re:Enough Already by hairyfeet · 2013-01-18 09:37 · Score: 2
  
  If Canvas sucks as bad as HTML V5 does at replacing Flash i can think of a reason, its a pig. You name which implementation you want and we'll compare it to Flash and no matter the size HTML V5 will suck MORE CPU, MORE RAM, and in many cases where Flash will play just fine HTML V5 will stutter like watching flash over dialup.
  So while I long for the day when the ONLY thing you'll need is a browser frankly HTML V5 just doesn't cut the mustard and isn't suitable for purpose yet. It sucks too many cycles, gives poor performance, doesn't do a third of what Flash does, and if St. Steve hadn't said it sucked (while the fanboys ignored the fact that Flash let devs bypass his golden calf appstore so he kinda had a conflict of interest) we honest;y wouldn't even be talking about HTML V5 video as a possible replacement for Flash, much less anything else. Its just not even alpha quality ATM, certainly not ready for the masses.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
18. Re:Enough Already by geekboybt · 2013-01-18 10:48 · Score: 1
  
  Webex's use of Java seems that it's only to launch the native client. I'm not sure why they go this route rather than using a URL handler (e.g. webex://[meetingnum]), but once it fires off the native client, it's no longer in use.
19. Re:Enough Already by arth1 · 2013-01-18 10:52 · Score: 2
  
  On a server app, if you have it, why not use it (for caches etc.)
  Why use it for caches for your app instead of letting the OS use it for caches for all apps?
  And just because the memory is there doesn't mean it's free for grabs. On servers with NUMA, you want to avoid using memory that's not on the CPU you use, or you pay a big performance penalty. The 16 GB you see might be 8 GB per CPU, and grabbing more than what's available in your CPU group might slow performance for you to (to say noth8ing about the system as a whole).
  Use the memory you need, don't just grab memory because it's "available".
20. Re:Enough Already by TopSpin · 2013-01-18 10:55 · Score: 3, Informative
  
  Java has a very small memory footprint by default.
  Erm. No. Just no.
  class Main { public static void main(String[] args) { while (true); } }
  (jdk 1.7.0.6 x86_64 linux)
  17M resident for that. 0.5G of virtual address space. The only other class referenced is java.lang.String.
  The equivalent Perl is 1.7M. Node.js is 9M. Python is 4M. TCL is 1.9M.
  EVERYTHING uses less RAM than bleeping Java. A lot less. And this isn't some fail test where Java gets better as applications scale. Go look over here and observe how almost every other language consumes less memory across a wide variety of algorithms. Anecdotal evidence from any app server admin will corroborate this.
  Java is a RAM pig and it always has been. The problem, at least regarding initial memory footprint (and start-up time), is excessive class loading. This is not opinion. There has been a project to correct it on the books for almost four years.
  Like everything else with Java, it has been neglected. Supposedly the results will appear in JDK 9..... sometime in 2015.
  And don't cite Android as some exception. Dalvik isn't JRE.
  
  --
  Lurking at the bottom of the gravity well, getting old
21. Re:Enough Already by Anonymous Coward · 2013-01-18 11:05 · Score: 1
  
  Appsof this type typically have the server to themselves and operating system caching is necessarily too general.
  Your points about numa are correct, but the wrong memory is still faster than a disk.
22. Re:Enough Already by kbg · 2013-01-18 12:26 · Score: 1
  
  I am not talking about server applications here they are set up by professionals, not end users. Yes I think having to set up specific memory for a VM is the wrong approach. You don't need to set memory parameters for native applications and they can use all the memory they want so why do I need to set one for VM?
23. Re:Enough Already by kbg · 2013-01-18 12:32 · Score: 2
  
  Why do I need to set the max limit? Why can't the program just use the memory it actually needs, I don't need to specify this crap for native programs. There are a lot of programs that you don't know before hand what is the memory usage. For example like compilers, file editors and any programs that work with multiple files and objects that are specified by the end user.
24. Re:Enough Already by gweihir · 2013-01-18 14:30 · Score: 3, Interesting
  
  Indeed. Java was intended for firmware in smaller embedded devices, like washing machines. It was never intended to be connected to a network. It was never intended for large software. It was never intended to go into the mainstream either. All security is patched on later (hint: that approach is sure to fail).
  Put that together with Oracle engineering quality (which sucks badly, I am surprised their database products ever made it to any prominence), and you have a fine disaster. What I do not get is that people think this technological lemon is any good.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
25. Re:Enough Already by ahabswhale · 2013-01-18 14:53 · Score: 1
  
  You usually don't because any competent software company writing Java software of this type will provide a launcher that takes care of this for you and you can remain blissfully unaware of it like any other software. Just because Minecraft is retarded, doesn't make Java retarded.
  
  --
  Are agnostics skeptical of unicorns too?
26. Re:Enough Already by ahabswhale · 2013-01-18 14:54 · Score: 2
  
  Good point because we all know that C++ is immune to security holes.
  
  --
  Are agnostics skeptical of unicorns too?
27. Re:Enough Already by zuperduperman · 2013-01-18 15:00 · Score: 2
  
  It's really sad how badly Sun screwed up Java. They basically had the world in the palm of their hand at one point - one of the only ways to run rich content in the browser, the only universally available cross platform runtime that the vast majority of people had installed. They tried to do all the right things - Java WebStart to easily run Java applications from a link, downloading all the necessary components on the fly. A simple, easy way to launch applications (just double click on the jar file!).
  But every single one of these "great" ideas had the most awful flawed execution, completely stupid, bone headed limitations that made you want to poke your own eyes out. This one you mention being an example. You can wrap your application up in a beautiful jar file and the user can double click it to run it. But there is no way for you to specify how much memory that application should get. And the default amount of memory is implementation dependent, so no way to predict what it will be. So they've solved all of your problems to avoid writing a native launcher and then left you still having to write one, just to pass one stupid fucking parameter to the JVM.
  This is just one tiny example, but I could list a dozen of these.
28. Re:Enough Already by TubeSteak · 2013-01-18 15:16 · Score: 1
  
  Already done, the previous u10 added options on the Java control panel (Windows) to disable all Java feature on the browser, so if you need Java for desktop applications, you don't need expose it to the browser.
  Thanks! I just did this.
  Control Panel --> Java --> Security --> uncheck the box at the top
  
  --
  [Fuck Beta]
  o0t!
29. Re:Enough Already by Anonymous Coward · 2013-01-18 15:23 · Score: 1
  
  Yes!
  Java is a ignorantly designed and poorly implimented.
  For example, Java code uses named varibles that the compiler maps to a stack and then to the virtual registers of the JVM which then have to mapped back to a stack and back out to the actual registers of the machine that runs it by the JIT. Every time. Each step is wasted RAM and chances for bugs. They are cargo cult programmers - duplicating hardware constraints in software.
  A key part of most total exploits is to corrupt return addresses on the stack. This is only possible because the x86 foolishly mixes the system's return addresses on the same stack as user data. It was understood decades ago that this was a bad but cheap design choice considered OK for stand alone systems. High end systems used seperate stacks even 40 years ago! Given a completely clean slate to design completely new virtual hardware what do the Java designers do? Badly copy the C/x86 system that was known to be broken decades ago and connect it to a global network designed to run unsigned 3rd party code on a regular basis.
  There are many other technical aspects that demonstrate Java and the JVM are fundamentally bad designs and should be dropped. Java never lived up to the portability claims. The JVM never lived up to the security claims. They've had decades and billions of dollars to fix this and it's still broken.
  Most people still look at the wrong benchmarks. In non-trivial multi-user environments the first resource you run out of is almost always RAM. Then the swapping to disk starts and it's orders of magnitude slower. 16 core CPUs wait and wait for the disk sub-system. Even SSDs are slow compared to the cheapest DRAM. The reason I bring this up is that Java and the JVM are RAM pigs and will cause your servers to page out to disk long before most other languages will. So don't be fooled by Oracle's trivial benchmarks that Java is 'almost as fast as C' - with a large number of users Java loses to COBOL in the real world. Statistically, Java also has more bugs and takes longer to develop.
30. Re:Enough Already by ahabswhale · 2013-01-18 18:38 · Score: 1
  
  Wow, you're so fucking smart and knowledgeable that I'm too intimidated to respond. lol
  How much client-side C++ is out there, you fucking moron? Argument over, you lose.
  
  --
  Are agnostics skeptical of unicorns too?
31. Re:Enough Already by Anonymous Coward · 2013-01-19 04:41 · Score: 1
  
  This is why running minecraft requires you to run java -Xmx6G minecraft_server.jar so you can use upto 6GB
  That's not what -Xmx does.
  The -Xms option sets the initial and minimum Java heap size. The -Xmx option sets the maximum heap size. In some cases setting the maximum heap size can be helpful, but it can also be detrimental. It depends more on the particulars of the specific JVM you're using and what all you're doing.
  For example, if you only have 8gigs of physical RAM available and are trying to run two server applications, setting it to 6Gigs is often going to cause you problems because the OS will have to use 4Gigs of slow swap/cache space right off the bat to satisfy your demands. You'd be better off setting each to 4Gigs, but even then only in cases where the JVM is for some reason defaulting to a maximum value. If you're using a 64bit JVM implementation you often don't have to set the Heap size manually at all. In any case, fiddling with the min/max heap sizes is something of an Art which varies vastly by environment and application behavior.
  There really is not any "right" or "wrong" way to set the Heap size- the best thing to do is profile your server application with various settings under normal production loads to see what actually performs best. Sometimes if you set too much heap size, you can run into problems (especially with Minecraft) because it waits SO long to run garbage collection that when it does collect you get massive latency spikes. You can also approach such problems from a different angle- the less loading/unloading the application does, the less the heap gets full of trash. So it can sometimes be better to let Minecraft run with a smaller Heap size and use the extra RAM to load up map files onto a RAM disk.
32. Re:Enough Already by Anonymous Coward · 2013-01-19 07:14 · Score: 1
  
  Because Microsoft and Sun (and Oracle) are competitors and Microsoft is not going to build Sun's garbage collector into Microsoft's OS Kernel - which you would do if you wanted to do it right.
33. Re:Enough Already by Lisias · 2013-01-19 10:50 · Score: 1
  
  That's a point. However...
  Who in his sane mind would like to download a random JAR from the Internet and give it total control about your computer?
  I agree that a more user friendly mechanism to give the VM the JAR's needed resources could be a good idea, but I really don't get this as one of the major Java's flaws. On Linux, that native launcher can be just a fscking bash script, by God's sake!
  If you think that this is an unacceptable friction as a developer, feel free to try build a multiplatform application using .NET, C++ , Python or Perl. :-)
  (hint: even Python has some serious idiosyncratic friction on the operating system: give the os.stat a peek for a example).
  And no one bought the idea of the "Java/OS", anyway.
  
  --
  Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
34. Re:Enough Already by kbg · 2013-01-19 12:24 · Score: 1
  
  But why should I have to care if it is a virtual machine or a real program, the program should just work.
35. Re:Enough Already by kbg · 2013-01-19 12:25 · Score: 1
  
  No you just do it right, you don't need the kernel to do correct memory allocations behavior.
The same old story by Synerg1y · 2013-01-18 06:51 · Score: 1, Insightful

Java's had issues with reflection before: http://stackoverflow.com/questions/3002904/what-is-the-security-risk-of-object-reflection .

Considering that reflection is basically injecting code at runtime, I'd say most things in the Java world don't need it, not sure if it's on or off by default, but in 99% of scenarios I believe it should be set to off.
1. Re:The same old story by K.+S.+Kyosuke · 2013-01-18 07:01 · Score: 4, Interesting
  
  Considering that reflection is basically injecting code at runtime
  That's pretty narrow, isn't it? Reflection is reification of program's state (and possibly code, which should be a subset of it) in form of (possibly mutable) metaobjects. The interface doesn't necessarily have to allow the program to do things that are inherently unsafe (although some applications need to do precisely that, e.g., Smalltalk IDEs when creating or modifying classes and methods). If Java's reflection features violate Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such. It's not like this is Java's only design flaw anyway. :-)
  
  --
  Ezekiel 23:20
2. Re:The same old story by Synerg1y · 2013-01-18 07:15 · Score: 1
  
  Yea, and why not apply reflection's methods against the platform itself? "Reflect", reverse, and modify the framework appropriately to gain a hook. Java isn't the only language to use reflection, c# has it, but I don't think I've ever seen it used, which may be a testament to it's usefulness more than it's security.
  
  Potential Reflection scenarios: http://stackoverflow.com/questions/2488531/what-is-the-use-of-reflection-in-java-c-etc
3. Re:The same old story by Anonymous Coward · 2013-01-18 07:24 · Score: 3, Insightful
  
  Sorry to say: if you haven't seen reflection used in C# you must not have been looking very hard...
4. Re:The same old story by sjames · 2013-01-18 07:24 · Score: 4, Informative
  
  Reflection is extremely useful given a language that considers it a first class feature rather than a bolt-on. Duck typing, for example,is a specific application of reflection. In turn, duck typing can actually fulfill the promise of reusable code that OOP promises but rarely delivers.
5. Re:The same old story by Bob9113 · 2013-01-18 07:28 · Score: 5, Insightful
  
  If Java's reflection features violate Java platform's security, it's an API design flaw, not necessarily a problem with reflection as such.
  Java is a progamming language, like C. It has access to the filesystem and can fork processes. Security is handled by the operating system, just like C. Any permission that the executing user has, the language has. That is as designed.
  The Java browser plugin, on the other hand, has a sandbox which is supposed to make it safe to run untrusted code. Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code. The security hole is in the Java sandbox, and in the notion of executing untrusted code in a language that has system access, not in the Java language.
  
  --
  Stop-Prism.org: Opt Out of Surveillance
6. Re:The same old story by barjam · 2013-01-18 07:28 · Score: 2
  
  Reflection in C# is used all the time. If you have written anything more complicated than hello world you have definitely used it. Not directly but the APIs you call use it.
7. Re:The same old story by AuMatar · 2013-01-18 07:28 · Score: 3, Informative
  
  Its major use is to avoid busy work for the programmer. An example is ORM where the program can analyze what fields a class has and figure out what data types those fields are and build sql querries from it. Another example is xml/json parsing, where you can pass in a json string and a class definition and have it match all of the fields in the json to members in the class. You can spend 15 minutes writing annoying boilerplate code or 15 seconds making 1 method call.
  
  --
  I still have more fans than freaks. WTF is wrong with you people?
8. Re:The same old story by K.+S.+Kyosuke · 2013-01-18 07:29 · Score: 1
  
  Yea, and why not apply reflection's methods against the platform itself? "Reflect", reverse, and modify the framework appropriately to gain a hook.
  If that's possible and not intended, you have a bug in your platform.
  
  Java isn't the only language to use reflection, c# has it, but I don't think I've ever seen it used, which may be a testament to it's usefulness more than it's security.
  Yes, in a decade, perhaps, these two platforms will reach the reflective maturity of Self-93 and its successors. Until then, they're half-botched.
  
  --
  Ezekiel 23:20
9. Re:The same old story by petermgreen · 2013-01-18 07:46 · Score: 1
  
  AIUI while the browser plugin is by far the most common use of the sandboxing and hence the most common way to exploit flaws in the sandboxing the sandboxing itself is a core feature of the java platform.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
10. Re:The same old story by cusco · 2013-01-18 07:53 · Score: 1
  
  OK, I'm not a programmer and never will be but the phrase 'duck typing' is so off-the-wall that I just have to ask what the hell it means.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
11. Re:The same old story by Cinder6 · 2013-01-18 08:09 · Score: 1
  
  You know, mallard, stifftail, goldeneye...
  Okay, fine, it's a type of dynamic typing: http://en.wikipedia.org/wiki/Duck_typing
  
  --
  If you can't convince them, convict them.
12. Re:The same old story by w_dragon · 2013-01-18 08:11 · Score: 1
  
  Wikipedia's article is pretty good
13. Re:The same old story by K.+S.+Kyosuke · 2013-01-18 08:16 · Score: 1
  
  and in the notion of executing untrusted code in a language that has system access
  Actually, that notion is perfectly fine. In a proper object-based runtime, the untrusted code should only get those references ("capabilities", from security POV) that it's supposed to have access to in order to accomplish its tasks, and nothing more. It can't get anywhere else in any other way then by pointer chasing or querying the provided objects/capabilities and invoking their methods, using the API it's been given access to. Basically, it's the same principle that MS is trying to employ in the development of Singularity-like systems. The notion is perfectly fine, that is, when the API isn't botched.
  
  --
  Ezekiel 23:20
14. Re:The same old story by HFXPro · 2013-01-18 08:33 · Score: 1
  
  When I see a bird that walks like a duck and swims like a duck and quacks like a duck, I call that bird a duck. http://en.wikipedia.org/wiki/Duck_typing
  
  --
  Reserved Word.
15. Re:The same old story by Sique · 2013-01-18 08:39 · Score: 1
  
  So this is something we were using in LPC 20 years ago without knowing it had to have a special name. We just said, we were calling the method in the object - all objects being from the same type object anyway.
  
  --
  .sig: Sique *sigh*
16. Re:The same old story by Knackered · 2013-01-18 08:40 · Score: 1
  
  OK, I'm not a programmer and never will be but the phrase 'duck typing' is so off-the-wall that I just have to ask what the hell it means.
  If it looks like a duck, walks like a duck, quacks like a duck, then for all purposes it's a duck.
  In my understanding, duck typing doesn't require the explicit declaration of "is-a" relationships in a class system. If a type (or object, depending on the language) fulfills sufficient requirements, it can be considered as a sub-class or object of another type. Depending on the language, the requirements may be expressed by interfaces, prototypes, pattern matching or some other means.
  
  --
  a.
17. Re:The same old story by sjames · 2013-01-18 08:56 · Score: 2
  
  In the first generation of OOP, the focus was on the 'type' of an object, often involving an 'isa' method. For example, A.isa(file) might return true. The problem is that it is far too easy to get a case where something very file like isa(MyVerySpecialFileThing) but returns false for isa(file) because it has no truncate method (even though we don't want or need to truncate).
  Duck typing is the idea that the type of an object and where it inherits from is largely irrelevant. We don't care if A isa file, we care if A has a method called read that returns data. We might further care if it can close(), or seek().
  In other words, if it swims like a duck, and quacks like a duck, and walks like a duck, it's a duck as far as we care.
  See also Wikipedia. To see the difference between 1st class vs. bolt-on, compare the Python and Java examples.
18. Re:The same old story by DarkOx · 2013-01-18 09:01 · Score: 1
  
  It comes from the phrase "if it walks like a duck, quacks like a duck than its a duck!"
  It differs from the idea of strong typing where the interpreter and compiler will require the object be exactly the declared type or perhaps something inherited from that type.
  Automobiles might all have functions: start, stop, accelerate, break, hold, left, right; and properties speed, started.
  Car may or may not be inherited from automobile, and it might have more properties and functions, such as LeftTurnSignal. A loosely typed language will allow you to pass a car to a function expecting an automobile. The program might use duck typing to check that is has those properties and functions automobiles are supposed to have. If they do he will proceed to treat it like an automobile, assuming it is so and the program should work fine. If its missing one of those methods he will raise an error. This adds flexibility ( and usually bugs).
  The key thing being that he/she must actually write the code to check the existence of the properties and functions, and raise the error. A language that uses strong typing would do it automatically, but cars would need to be automobiles.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
19. Re:The same old story by K.+S.+Kyosuke · 2013-01-18 09:05 · Score: 3, Informative
  
  I would omit the "sub-class" part of your post. This is about substitutability, and that is all about subtyping, whereas subclassing is about representation and implementaiton. You can have a subclass that is not a subtype (per LSP, at least, although most OO languages like to pretend in their type systems that subclasses are always subtypes), and a subtype that is not a subclass (which is typical with interfaces).
  
  --
  Ezekiel 23:20
20. Re:The same old story by Bob9113 · 2013-01-18 09:11 · Score: 1
  
  AIUI while the browser plugin is by far the most common use of the sandboxing and hence the most common way to exploit flaws in the sandboxing the sandboxing itself is a core feature of the java platform.
  You are calling this a core feature because it was part of the central design more than a decade ago when Java was intended to be used in the browser. The overwhelming majority of Java that is live today does not use the sandbox. The sandbox is no more a core feature of Java than your appendix is a core feature of your digestive system.
  
  --
  Stop-Prism.org: Opt Out of Surveillance
21. Re:The same old story by cusco · 2013-01-18 09:22 · Score: 1
  
  Ah, so you're checking the type of an object, not keying something in. The only thing that came to mind when I first read it was 'cat typing', aka 'kitty keyboarding', an entirely different activity. Thanks.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
22. Re:The same old story by ADRA · 2013-01-18 10:14 · Score: 1
  
  Well, you're partly right. Sandboxing is always running on all JVM instances, and can be quite handy when dealing with dividing multiple aspects of a running system (like deploying different versions of a given software library across different deployments on the same server instance).
  Now I haven't looked into this one yet, and I'm not sure if they found flaws in the plugin shared objects, or in the platform's handling of its platform sandbox.. If it was the platform sandbox, then that's a lot worse imho.
  
  --
  Bye!
23. Re:The same old story by Randle_Revar · 2013-01-18 10:47 · Score: 1
  
  Agreed. When my brother was a C# dev (including when he worked at MS on Codeplex) he talked about using reflection a lot.
  
  --
  Climate Progress - Hell and High Water
24. Re:The same old story by Randle_Revar · 2013-01-18 10:52 · Score: 1
  
  But "duck" is not monophyletic! Is it Anatinae, Aythyinae, Merginae, Oxyurinae, or something else?
  
  --
  Climate Progress - Hell and High Water
25. Re:The same old story by sjames · 2013-01-18 11:18 · Score: 1
  
  Now take that compiled code and hand it BrandNewDuckLikeObject you defined yesterday and see what happens. That's exactly the sort of reuse failure duck typing avoids.
  Bonus points if it then hands that object back out and it can be recognized as a BrandNewDuckLikeObject again without a dangerous typecast that will fail if performed on a NotSoNewQuackingThing.
26. Re:The same old story by stenvar · 2013-01-18 17:23 · Score: 1
  
  Java is a progamming language, like C. It has access to the filesystem and can fork processes. Security is handled by the operating system, just like C.
  That's false. Java claims to provide sandboxing, runtime safety, and fault isolation, something C never provided. In different words, security can be handled by the OS, but it can also be handled by the language and runtime. Providing it in the language and runtime has lots of potential advantages. Java tried to provide support in the language and runtime, but failed. Other languages and runtimes have succeeded at accomplishing what Java failed to do with sandboxing, runtime safety, and fault isolation, so it's certainly possible to do in principle.
27. Re:The same old story by Anonymous Coward · 2013-01-18 18:29 · Score: 1
  
  Or be freaking incompetent. Reflection is the only way to implement many cross cutting concerns in a generic way.
  A few examples: ORMs, Databinding, (Unit) testing frameworks, Data serialization, Policy injection, it's even used for on screen formatting in ASP.NET MVC framework.
28. Re:The same old story by gbjbaanb · 2013-01-19 10:04 · Score: 1
  
  its a poor way of achieving what a compiler should do for you - from the class definition, it should be able to generate the boilerplate so that you can pass in the json and have it nicely accessible, you don't need reflection to do that and the results are considerably more performant.
  Nearly all uses of reflection should be replaced with some up-front thought for a different way of approaching the problem.
29. Re:The same old story by AuMatar · 2013-01-19 13:04 · Score: 1
  
  No, that kind of stuff is WAY, WAY outside the scope of a compiler. Why the hell would a compiler even know JSON exists? You can argue its the job of a preprocessor or code generation utility run as part of your build process and you'd have a point. The advantage of using reflection is that all your code is in your source code and checked it- with preprocessing tools or code generation you're generating code at compile time which breaks a lot of tools and makes debugging errors much more difficult.
  
  --
  I still have more fans than freaks. WTF is wrong with you people?
30. Re:The same old story by bcrowell · 2013-01-19 13:59 · Score: 1
  
  Turns out that trying to make it safe to run untrusted Java code is just as difficult as trying to make it safe to run untrusted C code.
  Total nonsense. This is like saying that people get electrocuted by their toasters, and people get electrocuted repairing downed power lines, so toasters are just as dangerous as downed power lines. Toasters are safe by design. So is the java applet sandbox.
  
  --
  Find free books.
31. Re:The same old story by gbjbaanb · 2013-01-20 02:25 · Score: 1
  
  you're looking at it wrong - the compiler knows your code exists, what its structure is, and its that that matters - that you can create objects and populate them with data sourced from the JSON data stream is exactly what you should be doing.
  Using reflection to take a data source and turn it into code is just the security problem that has already happened.
  Also I found that generated code made debugging much easier - you can see the code that has been generated, step through it in the debugger. Runtime code creation is quite the opposite, mostly blackboxes of looping reflection and recursive functions.
32. Re:The same old story by AuMatar · 2013-01-20 15:26 · Score: 1
  
  Why the hell should a compiler know what JSON is? A compilers job is to turn code into machine or bytecode. Giving it more intelligence is a mistake. Generate the code maybe, but not as part of the compiler.
  I'm going to disagree on easier to debug, because its impossible to step through the process of generation, which tends to be where the mistake is. It also means not all of your code is in source control, because the compiler itself becomes part of your code. I dislike the efficiency of runtime generation, but its more transparent because the generation code is part of your source.
  
  --
  I still have more fans than freaks. WTF is wrong with you people?
Just let it die already by Billly+Gates · 2013-01-18 06:52 · Score: 1

Of your corp must need ot then downgrade to Java6 which is not effected by the latest exploits and disable it in your browser except for whitelisted sites in your intranet zone in IE.
Oracle appearently cant code their way out of a paperbag but Sun wrote Java 6. Not to say that release is secure but at least less flaky and doesnt have the same flaw as 7.

--
http://saveie6.com/
1. Re:Just let it die already by Antipater · 2013-01-18 07:08 · Score: 5, Funny
  
  To be fair, coding your way out of a paper bag sounds pretty difficult.
  Unless you have a robot with poking capabilities inside the bag with you, of course.
  
  --
  Everything is better with chainsaws.
2. Re:Just let it die already by arth1 · 2013-01-18 07:08 · Score: 2
  
  Of your corp must need ot then downgrade to Java6 which is not effected by the latest exploits and disable it in your browser except for whitelisted sites in your intranet zone in IE .
  Run that by me, again?
3. Re:Just let it die already by CodeReign · 2013-01-18 07:11 · Score: 1
  
  He said if you are running peoplesoft allow Java to run only on your peopleosoft site. Was that so hard to understand?
4. Re:Just let it die already by The+Moof · 2013-01-18 07:25 · Score: 3, Informative
  
  It's the screwy way Windows does network trust. The "Internet Options" from the control panel is actually IE's preferences. This is also the place you set up trusted zones, allowing network applications or applications downloaded from external sources to run on the OS.
  
  Like I said, it's screwy.
5. Re:Just let it die already by Billly+Gates · 2013-01-18 07:29 · Score: 1
  
  Old IE may suck for rendering websites properly compared to new IE, but what it does do right is come with corporate oriented tools including this, called security zones.
  Just go under Internet Options in control panel and disable java in the internet zone and set it up in the intranet zone. Fairly easy stuff. You can push this through Acitive Directory as well if you are at work to protect your users.
  I assume no one but a few minecraft users use it at home so uninstall it. Chrome and FIrefox should have it disabled by default.
  
  --
  http://saveie6.com/
6. Re:Just let it die already by icebike · 2013-01-18 07:35 · Score: 4, Interesting
  
  Oracle appearently cant code their way out of a paperbag but Sun wrote Java 6. Not to say that release is secure but at least less flaky and doesnt have the same flaw as 7.
  I think it is starting to look suspiciously like there is some unfair dealing going on in the "security researcher" world.
  The fix was released last Sunday and two new security flaw turn up today which, according to the summary and TFA "are apparently not related to the previous security issues."
  First, that is very short period of time to find these new flaws, and write a proof of concept.
  Were these flaws in the prior release, or introduced by the Sunday release?
  Did these guys have them in hand prior to the work on sunday's release and hold them back?
  Were they using "research" methods that they refused to share? Fuzzers, code inspection?
  If the researchers didn't find these new flaws until after sunday, why not?
  Just sayin....
  
  --
  Sig Battery depleted. Reverting to safe mode.
7. Re:Just let it die already by Billly+Gates · 2013-01-18 07:39 · Score: 1
  
  I was under the impression it utilized the same exploit from what I read. It just used the same attack vector utilizing a different method that the fix doesn't mitigate.
  
  --
  http://saveie6.com/
8. Re:Just let it die already by icebike · 2013-01-18 07:40 · Score: 1
  
  Why Yes, Yes it was.
  One wonders to what extent we should take advice from a guy who can't form a conversant sentence.
  
  --
  Sig Battery depleted. Reverting to safe mode.
9. Re:Just let it die already by Em+Adespoton · 2013-01-18 08:40 · Score: 1
  
  To be fair, coding your way out of a paper bag sounds pretty difficult.
  Unless you have a robot with poking capabilities inside the bag with you, of course.
  You just have to press hard when writing the 1's. After enough iterations, you'll be out.
10. Re:Just let it die already by Tarlus · 2013-01-22 06:21 · Score: 1
  
  Yeah, that was intentional. Apparently the mods didn't get it either. =)
  
  --
  /* No Comment */
Dalvik virtual machine by perpenso · 2013-01-18 06:52 · Score: 1

Is Google's Dalvik virtual machine available for PC or just Android? Perhaps a little competition is needed.
1. Re:Dalvik virtual machine by sjames · 2013-01-18 07:45 · Score: 1
  
  The rooting hacks I've seen don't seem to attack the VM. They generally either rely on linked in C libraries where the exploit is actually implemented or they are attacks on the bootloader to get it to load something in kernel mode to set flags in hardware.
  The more difficult case is the ones that attack the kernel through permitted system calls.
  Ultimately, the answer will probably involve a mini guest OS isolated by something like KVM where each applet gets it's own VM and any changes on the client side roll back when the applet exits.
2. Re:Dalvik virtual machine by Em+Adespoton · 2013-01-18 08:43 · Score: 1
  
  Ultimately, the answer will probably involve a mini guest OS isolated by something like KVM where each applet gets it's own VM and any changes on the client side roll back when the applet exits.
  Well, this would at least have the effect of hardening KVM over time as flaws were found allowing similar attacks via message passing routines. That wouldn't necessarily be a bad thing, although it would make life more painful for those of us who already use KVM in relative obscurity.
I just have to say... by cyberjock1980 · 2013-01-18 07:00 · Score: 2

Whoops!
I wonder how many of these vulnerabilities will be found and identified before the top brass at Oracle starts questioning the logic in buying Sun. Could Oracle realistically just come out and say "you know what.. we're done with Java"? Is Oracle really this inept at making stuff secure?
I mean, fixing security vulnerabilities is never good for business.. at all. You spend money fixing something that doesn't affect you directly but definitely affects your customers(which indirectly affects you). It's developer time that could have been spent on the next version's new shiny feature. Not to mention you aren't going to sell your product by saying 'We fixed XYZ vulnerabilities in the last 2 years". Anytime a company name is used in the same sentence with "new vulnerabilities discovered" is also not good for said company.
When the last topic about these vulnerabilites was posted I mentioned how I don't trust companies with my security any more than I have to and mentioned that my firewall is now pfsense since Linksys, Netgear, and Dlink don't seem to be interested in security without buying a new router every 2 years. Naturally I got modded down. Let's see how this goes this time...
1. Re:I just have to say... by c · 2013-01-18 07:14 · Score: 2
  
  Is Oracle really this inept at making stuff secure?
  Ask David Litchfield. You might also want to read up on their Unbreakable campaign a few years prior to purchasing Sun.
  
  --
  Log in or piss off.
2. Re:I just have to say... by lecithin · 2013-01-18 07:14 · Score: 1
  
  "Is Oracle really this inept at making stuff secure?"
  Aside from their database, Oracle is inept at pretty much everything.
  
  --
  It could be worse, it could be Monday.
3. Re:I just have to say... by Scutter · 2013-01-18 07:16 · Score: 1
  
  Anytime a company name is used in the same sentence with "new vulnerabilities discovered" is also not good for said company.
  True, but it's amazingly easy to deal with that by adding the phrase "But they have a history of fixing vulnerabilities quickly whenever they are discovered." Unfortunately, Oracle can't seem to do this.
  
  --
  
  "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
4. Re:I just have to say... by Anonymous Coward · 2013-01-18 07:19 · Score: 1, Insightful
  
  Oracle is inept at pretty much everything.
  FTFY
5. Re:I just have to say... by organgtool · 2013-01-18 08:22 · Score: 2
  
  I mean, fixing security vulnerabilities is never good for business.. at all. You spend money fixing something that doesn't affect you directly but definitely affects your customers(which indirectly affects you). It's developer time that could have been spent on the next version's new shiny feature.
  
  Have you used Java lately? It hasn't had any killer new features in quite a long time and that stagnation has been there for a period even before Oracle bought Sun. That stagnation looks even worse when you compare it to .Net languages like C# which have surpassed most of Java's language features and is now ahead. And before everyone jumps down my throat for advocating a Microsoft technology, I use absolutely none of their technologies for software development. I'm just objective enough to recognize that they're putting a lot of effort into creating new features for their languages and as a Java developer, I have to say that I'm a bit jealous (but not jealous enough to switch to Microsoft's single-platform development environment).
6. Re:I just have to say... by gweihir · 2013-01-18 14:38 · Score: 2
  
  "Is Oracle really this inept at making stuff secure?"
  Aside from their database, Oracle is inept at pretty much everything.
  From what I have seen of their databases, security sucks there too (for example, no way to securely store certificates for communication or storage encryption), and you basically have to physically and logically protect Oracle database boxes by non-Oracle means.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Interesting by jones_supa · 2013-01-18 07:01 · Score: 4, Interesting

I still find it odd how Java suddenly caught all the attention regarding security.
1. Re:Interesting by Bill_the_Engineer · 2013-01-18 07:04 · Score: 1
  
  Smear campaign. I always wondered why a "mega" exploit package was reportedly offered up for sell yet only the Java exploit contained in the package was the one getting the media attention.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
2. Re:Interesting by dalias · 2013-01-18 07:19 · Score: 5, Insightful
  
  Yes, in some ways I agree it is a "smear campaign", but I don't think it's an unjustified one. When a product has had vulns this serious this many times, yet maintains huge deployment due to market dominance and user lock-in, a huge smear campaign is needed to destroy it. This was the case in the past with products like BIND, Sendmail, WU-FTPD, IIS, IE, etc. and Java is just the latest necessary target.
3. Re:Interesting by DMUTPeregrine · 2013-01-18 07:30 · Score: 2
  
  Windows got better, and fixed most of the easy exploits. Flash got a bit better, and fixed most of the easy exploits. Java and Acrobat Reader are still easy to find exploits in.We'll see what comes next.
  
  --
  Not a sentence!
4. Re:Interesting by Bill_the_Engineer · 2013-01-18 07:36 · Score: 1
  
  I didn't say it was unjustified just unfair. In fact, depending how Oracle responds, it may actually make Java more secure than other options/languages.
  What I am suspicious of is the lack of coverage for the other exploits. Which unfairly diminishes Java's image while elevating the status of similar products that may have the similar vulnerabilities.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
5. Re:Interesting by Bob9113 · 2013-01-18 07:36 · Score: 2
  
  I still find it odd how Java suddenly caught all the attention regarding security.
  I think this is largely due to the bad reporting. Ignorant reporters keep referring to this as a Java exploit. It is not. It is a Java sandbox exploit. A Java exploit of this nature would be catastrophic, since there are millions of servers out there running Java. A Java sandbox exploit, on the other hand, is little more than a reminder: Hey, everybody: Disable the Java plugin in your browser, like everyone else did ten years ago.
  
  --
  Stop-Prism.org: Opt Out of Surveillance
6. Re:Interesting by Nimey · 2013-01-18 07:53 · Score: 1
  
  Acrobat Reader got a lot better with version 10's secure mode. I don't remember reading of any exploits that were able to get past that.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
7. Re:Interesting by w_dragon · 2013-01-18 08:14 · Score: 1
  
  This is about Java in the browser. The main competitors in this space are Flash and (if you're in an outdated, IE-loving enterprise) ActiveX. Do you really have that high an opinion of Flash?
8. Re:Interesting by sjames · 2013-01-18 08:29 · Score: 1
  
  It started with a serious security flaw that the vendor (Oracle) tried hard to ignore. The publicity was turned up to shame them into fixing the flaw with an out-of-cycle patch. The vendor half-assed the patch and so the cycle of 'all clear' press was interrupted for a new round of drubbing. Then an attempt was made to re-habillitate Java's image and so now we're at the 'not so fast' rebuttal.
  Meanwhile, it never really lived up to most of it's promises anyway (especially as a browser plug-in) and so it naturally leads people to wonder if it's time to stick a fork in it.
  That Java is Oracle's second big software acquisition from Sun that seems to be flaming out under the new management and that Oracle is not really well liked as an entity anyway just adds to the dogpile.
9. Re:Interesting by ashpool7 · 2013-01-18 08:45 · Score: 1
  
  This list almost makes sense, except IIS isn't going away because of .NET and BIND hasn't been significantly reduced either. Java in the browser might go away, but that seems about it.
10. Re:Interesting by gtall · 2013-01-18 10:24 · Score: 1
  
  Oracle Forms relies on Java in the browser. It isn't going anywhere because they use OForms as a front end to their database. Maybe if we asked really nicely, they'd rewrite OForms in something else. I've been asking them for years to put Uncle Larry out to pasture but they don't seem to listen.
11. Re:Interesting by DMUTPeregrine · 2013-01-18 13:56 · Score: 1
  
  I vaguely recall at least one, but it has helped. I still prefer Foxit, Sumatra, or Okular due to speed anyway.
  
  --
  Not a sentence!
12. Re:Interesting by ahabswhale · 2013-01-18 15:02 · Score: 1
  
  It's a fair question. Java applets are similar to ActiveX plugins in that they have web apps access to system resources they would ordinarily not ever have access to but I don't hear anyone whining about ActiveX (which can do some seriously evil shit).
  
  --
  Are agnostics skeptical of unicorns too?
13. Re:Interesting by dalias · 2013-01-18 15:48 · Score: 1
  
  Absolute usage, or relative? Their market dominance has surely eroded, and people who know what they're doing aren't using the old clunkers anymore.
Re:blaaaaaaaaaa by arth1 · 2013-01-18 07:03 · Score: 1

who cares? java does not belong in the browser, javascript does not belong on the server. end of story.
No, you're missing a few chapters to your story:
Chapter 1: Javascript does not belong in the browser when fetched from untrusted sources.
Chapter 2: Java does not belong in the browser.
Chapter 3: Javascript does not belong on the server.
Chapter 4: Java does not belong on servers also used for non-java.
Bad stewardship of Java by benjfowler · 2013-01-18 07:10 · Score: 4, Insightful

Oracle need to be called out on what appears to be an open-and-shut case of negligence.
Only a complete idiot would take on Java and it's 600 million users without making some kind of plan for supporting it. Their approach so far has been unbelievably reckless.
I certainly hope they don't take that attitude to Oracle Database, which is very expensive indeed, and running inside companies with lots of well paid lawyers.
1. Re:Bad stewardship of Java by sdnoob · 2013-01-18 07:35 · Score: 2
  
  Perhaps the best course of action would be for Oracle to donate Java to Apache Foundation... but then, the question to ask is: would they even want it?
2. Re:Bad stewardship of Java by Tridus · 2013-01-18 07:43 · Score: 1
  
  Oracle has a lot of stuff that uses Java, so I doubt their plan was "totally screw Java up so we can ditch it."
  Clearly they need to devote serious expertise to hardening it though, or just take the easy route and kill Java in the browser entirely. That's where these problems are all coming from. It wouldn't even be that hard for them, since it's basically a dying method of doing things in the browser anyway.
  
  --
  -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
3. Re:Bad stewardship of Java by medv4380 · 2013-01-18 07:56 · Score: 1
  
  Apache would probably kill to have full control over Java.
Re:blaaaaaaaaaa by Anonymous Coward · 2013-01-18 07:10 · Score: 1

who cares? java does not belong in the browser, javascript does not belong on the server. end of story.
No, you're missing a few chapters to your story:
Chapter 1: Javascript does not belong in the browser when fetched from untrusted sources.
Chapter 2: Java does not belong in the browser.
Chapter 3: Javascript does not belong on the server.
Chapter 4: Java does not belong on servers also used for non-java.
Chapter 5: Javascript does not belong in the browser, either.
Chapter 6: Images do not belong in the browser.
Chapter 7: The only thing that belongs in the browser is ASCII text. None of this Unicode crap.
Chapter 8: And ONLY if that text has been sanitized to hell and back.
Chapter 9: Waaaaaaah, why don't we just use Gopher like we used to? The world made so much sense back then, and that was good enough for us!
Chapter 10: Screw you guys, I'm just going to pass floppy disks among my Media Lab friends at MIT like in the old days.
Chapter 11: 1.44MB is enough for anything.
Chapter 12: Unless you're one of the old fogies with the 360kB disks. Forget that noise, we've got COLOR in our .tiffs now!
Dear Lary Ellison by Anonymous Coward · 2013-01-18 07:11 · Score: 1

Since your programmers can't seem to code their way out of a wet paper bag, perhaps you should spend less time on your yacht and more time actually running your company.
Sincerely, everyone who's time you waste with shit software.
Enough already by mark-t · 2013-01-18 07:12 · Score: 3, Funny

While admittedly this could reasonably qualify as news for nerds, the exploits that are being discovered in Java these days are happening with such rapidity now that it truly seems like a complete waste of time and effort to report them all individually. They are so frequent now as to border on spam.

--
File under 'M' for 'Manic ranting'
Re:blaaaaaaaaaa by CodeReign · 2013-01-18 07:13 · Score: 1

Can you paste chapter 4 for me. I'm somewhat curious what you mean, is there privilege escalation that can occur or what's going on in that chapter?
Why is this so difficult? by istartedi · 2013-01-18 07:14 · Score: 1

I'm not familiar with the architecture, so I have a hard time understanding why this is so difficult. Many C programmers including myself have written simple stack machines that have an "instruction set". It's trivial to separate safe instructions from dangerous ones
One instruction might be 32-bit unsigned addition that rolls over without throwing an exception. Perfectly safe, as long as you can live with the results.
Another instruction might be "open file". Lots of opportunity for mischief there.
So. If the code came from the 'net, you just scan the code after you've compiled it onto your VM and reject anything that has "open file" unless the user has granted permission for the software to access files.
Sure, I'm glossing over the details; but that's the basic idea. If you have a huge library, you might have to have staff review a lot of API calls to make sure you're classifying them properly as safe or dangerous; but the fundamental idea of the sandbox itself seems really, Really, REALLY hard to mess up.
It sounds like they have calls to a "cause the scanner to ignore dangerous functions" API scattered throughout their code, which seems highly unlikely. Library code shouldn't even know it's running after a scan, let alone have the ability to shut off the thing that scans it.
So. I have to conclude that the sandbox architecture is something more complicated than "compile, scan for restricted system calls, run if none found"; but I have no idea what it is. Can anybody enlighten me?

--
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
1. Re:Why is this so difficult? by Billly+Gates · 2013-01-18 07:35 · Score: 1
  
  THe flaw is in the reflections. Since metadata changes unmutable things like strings you can have safety but this hack goes around it and manipulates it. Get rid of that feature?
  THen you break applications and mission critical business apps. Of course from what I see they all use older versions of the language where this feature is not used but neverless it is the joys of supporting a large complex thing where the users have a psychotic episode if anything changes and want it frozen yet demand to get security patches.
  This is the reason many programs will not run on Windows 7 as MS had to make it secure starting with Vista. Corporate users just kept using XP and ignoring all the security issues.
  
  --
  http://saveie6.com/
2. Re:Why is this so difficult? by Tridus · 2013-01-18 07:46 · Score: 1
  
  I'd surmise (since I'm nothing resembling a sandbox expert) that one of the problems is that the sandbox is built to allow a lot of those "dangerous" activities if the applet is signed and asks for permission to do them. It's not a total block.
  When the code to do it is in there somewhere, apparently there's a lot of edge cases to find ways to get to it.
  
  --
  -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
3. Re:Why is this so difficult? by istartedi · 2013-01-18 09:15 · Score: 1
  
  THe flaw is in the reflections.
  OK I had to review that.
  LOL. When I was taking 100-level CS courses to get my EE and thought I was all cool because I had several years hacking with things like the C-64, I wrote some self-modifying assembly and turned it in as part of an assignment. The TA marked off for it as "too clever for its own good" or something along those lines. I was miffed at first, but saw the point after a while. I guess some people didn't.
  That said, if there's something that uses "eval" like functionality, such as a graphing calculator app then that's useful. It's not arbitrary modification of the existing code so much as it is writing new code. The loader could scan for calls to "eval", and replace them with calls to "safe_eval" which would include the scanning function.
  I don't see why that couldn't work for adding functions to a class at runtime, which is something the wiki article on reflections considers as part of the definition.
  At any rate, since you're narrowing it down to a problem with their implementation of reflections (however you define it) then it seems like they need to run some kind of audit wherein all reflective calls in their source tree are singled out and secured. Another advanced concept, "aspect oriented programming", comes to mind.
  Long story short though, it's too clever for its own good. Actually, it also makes me think of why Windows has had such a hard time on the Internet. It was designed first, then the networking was bodged on. Same deal here. Java was just imperative OO first, right? It sounds like they're trying to bodge on Lisp.
  
  --
  For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
4. Re:Why is this so difficult? by barjam · 2013-01-18 09:58 · Score: 1
  
  You don't understand reflection evidently. Reflection is a core feature of languages such as C# and java. You simply can't get rid of it without completely redesigning the language.
  This isn't a problem with reflection as much as sloppy programming. There is zero reason why a competent development team couldn't make reflection perfectly safe.
5. Re:Why is this so difficult? by istartedi · 2013-01-18 12:59 · Score: 1
  
  You don't understand reflection evidently. Reflection is a core feature of languages such as C# and java
  Let's leave specific languages out of it, and discuss reflection in language-neutral terms. AFAICT, it's a vague term that encompasses several things. 1. Reading out the names and types of data members of an object at runtime. 2. Reading out the names of function members of an object at runtime. 3. Reading out the exact *class* of that object at runtime (which would lead you back to 1 and 2, so that's redundant). 4. (the particular thing I think is dangerous if not used CAREFULLY) Adding new members (data or function) to a class at run-time.
  You simply can't get rid of it without completely redesigning the language.
  I was particularly interested in (4) above, and note that I've added CAREFULLY. There are probably a hand full of use cases where you need that. In an object-oriented language you probably can't have "just a function" like you can in C, so adding some code to a class is probably the only way to implement the aforementioned graphing calculator applet.
  OTOH, I maintain that if you have something like a button class that you've been using for 10 years, it's just way too tempting for some junior developer to "solve" problems by injecting new code into it.
  This isn't a problem with reflection as much as sloppy programming. There is zero reason why a competent development team couldn't make reflection perfectly safe.
  Here you seem to be siding with those on this forum who paint the Oracle devs as incompetent. I prefer to reserve judgement. I haven't been digging through Java code. I don't know what kind of maintenance nightmare they inherited.
  Now, not to let this internet communication get too out of hand (as it looks like we're already having the f2f vs. online communication problem here) but another hair that needs to be split is "safe" vs. "sane". It might be possible to make self-modifying code "safe" from a security standpoint; but I'm doubtful about the "sanity" (for "sane", read ability to trace and debug) of it. This doubt comes from debugging C++ code where *data* has accidentally been modified at run-time. That's bad enough; but at least I knew the *code* pages weren't hit.
  
  --
  For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
6. Re:Why is this so difficult? by s1lverl0rd · 2013-01-19 11:05 · Score: 1
  
  Wouldn't mission critical business apps usually run on a server, though, and not inside a sandboxed browser plugin?
Re:blaaaaaaaaaa by Bill_the_Engineer · 2013-01-18 07:20 · Score: 1

Chapter 4: Java does not belong on servers also used for non-java.
Please cite some evidence that the above is true.

--
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
Re:blaaaaaaaaaa by AliasMarlowe · 2013-01-18 07:32 · Score: 1

Chapter 12: Unless you're one of the old fogies with the 360kB disks. Forget that noise, we've got COLOR in our .tiffs now!
Who are you calling "old", sonny?
I'm not that old (far from retirement age), and worked with brand new 140kB and 160kB 5.25" floppy disks on a brand new PC, several years after graduating. Earlier I worked with PDP-8, PDP-11, IBM-360, and DEC-20, which were floppy-free, and cassette-tape systems such as the PET. Even those who recall 80kB 8" floppies, or subsequent 100kB and 110kB 5.25" ones might not be retired yet.

--
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
If they keep this up... by mandark1967 · 2013-01-18 07:36 · Score: 4, Funny

Adobe is gonna get jealous.

--
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
1. Re:If they keep this up... by antdude · 2013-01-18 10:38 · Score: 1
  
  Same for MS and others. ;)
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Shouldn't the OS prevent the worst of the damage? by overunder · 2013-01-18 07:41 · Score: 4, Interesting

I understand how a sandbox vulnerability could lead to malware being installed on the machine. But that malware still has to then exploit an OS-level security hole, right? The reports make it out that somehow the Java vulnerability allow complete take over of the machine. So I'm confused why the Win7, OSX, etc Access Control mechanism doesn't prevent the potential damage. Or is this specifically targeting users who for example are logged in as admin on a Win box and have explicit approval of system changes via ACL disabled?
For cripes sake... Java Plugin != Java by diarrhea-uh-uh · 2013-01-18 07:46 · Score: 5, Insightful

So sick of these headlines. Java is fine, it's the barely-used-these-days plugin that's the problem. I expect non-techy sites to omit that detail, but come on /. For those preaching that Java should be donated to Apache, give me a break. It's at the core of all "Enterprise Applications'" tech stack. Never gonna happen, nor should it. Best solution would be to decouple the plugin from the Java install and no longer shove it down people's throats.
1. Re:For cripes sake... Java Plugin != Java by amicusNYCL · 2013-01-18 09:15 · Score: 1
  
  Java is fine, it's the barely-used-these-days plugin that's the problem.
  That's right, the problem is the plugin that virtually no one uses which, according to Kaspersky, is responsible for at least 50% of infections on Windows (and also gave the Mac world their first widespread trojan, Flashback). It's just a good thing so few people use it. It's not like it ships with some new computers or anything.
  I'm not suggesting that the major problems with the Java platform are anywhere other than relating to the plugin, but it's pretty disingenuous to say that no one has it. This time next year though, you might be more accurate.
  Now if you mean that there are barely any applets written to use the plugin, then you might be right. But the fact is that a lot of people do have it installed, and it's the malicious applets that people actually are writing that are the issue.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
2. Re:For cripes sake... Java Plugin != Java by afgam28 · 2013-01-18 09:54 · Score: 2
  
  You're confusing "have" with "use". You can have something installed that you don't use. Many people have the Java applet plugin installed, but few actually use it.
  Knowing this, try reading the gp post again and you'll see it makes perfect sense.
3. Re:For cripes sake... Java Plugin != Java by diarrhea-uh-uh · 2013-01-18 11:04 · Score: 1
  
  Java is fine, it's the barely-used-these-days plugin that's the problem.
  That's right, the problem is the plugin that virtually no one uses which, according to Kaspersky, is responsible for at least 50% of infections on Windows (and also gave the Mac world their first widespread trojan, Flashback). It's just a good thing so few people use it. It's not like it ships with some new computers or anything.
  I'm not suggesting that the major problems with the Java platform are anywhere other than relating to the plugin, but it's pretty disingenuous to say that no one has it. This time next year though, you might be more accurate.
  Now if you mean that there are barely any applets written to use the plugin, then you might be right. But the fact is that a lot of people do have it installed, and it's the malicious applets that people actually are writing that are the issue.
  You just reiterated my point. It's installed by default when you install Java and should not be. Of those infected, how many actually use the browser plugin? Not many...
4. Re:For cripes sake... Java Plugin != Java by diarrhea-uh-uh · 2013-01-18 11:05 · Score: 1
  
  Not just the server side. 90% of apps I use on desktop today is Java.
  90% of what you run on your computer are Java applets? I call BS.
5. Re:For cripes sake... Java Plugin != Java by amicusNYCL · 2013-01-18 11:26 · Score: 1
  
  I would guess that something like WebEx is the single biggest use on the public internet. I'm not sure how many people use it. The Java installer doesn't even give you a choice about what to install, there are no options at all during installation the last time I ran through it (last July).
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
6. Re:For cripes sake... Java Plugin != Java by ahabswhale · 2013-01-18 15:08 · Score: 1
  
  "That's right, the problem is the plugin that virtually no one uses which, according to Kaspersky, is responsible for at least 50% of infections on Windows..."
  Do you have a source for that because I can't find anything to back it up other than your post.
  
  --
  Are agnostics skeptical of unicorns too?
7. Re:For cripes sake... Java Plugin != Java by amicusNYCL · 2013-01-21 04:49 · Score: 1
  
  I've looked on Kaspersky's site for any source for it, the only places I see it are on third party sites which state it but don't provide a link. I'd like to see a source for it also, the last I heard was that Java was responsible for 37% of infections, and Acrobat 32%. Now Kaspersky says (according to others) that Java is at 50%, and Acrobat at 28%.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Oracle doesn't get security! by onyxruby · 2013-01-18 07:51 · Score: 2, Insightful

I've said time and time again that Oracle doesn't get security, they just don't. They have been pulling things like this for a very long time. I never could have imagined saying this 10 years ago or so, but Oracle, you need to look at Microsoft for some pointers on handling security. Since you probably not willing to do that, I'll spell it out for you:
When you find out about a notable security flaw you need to have a patch ready to go within 60 days.
Meaningful notification. The everyday hacks that run IT need to have reasonable notification of security flaws.
Workarounds. If you can't fix it, that's fine, but give me a workaround or I'm going to start uninstalling your product.
How does it the flaw work? If you can't tell me how it works it means I have to reverse engineer it myself and this annoys me.
The difference between theoretical flaws and something that is broken beyond saving is typically 8-10 years.
The bad guys make a lot of money by counting on you dismissing security concerns.
You need to make it easier to administer updates to your products.
You need to make it easier to limit updates to your products. Why does Java 6 automatically update to 7? This is a bad, bad thing.
From a security standpoint I can't think of anything I would wish for more than the death of Java. Every chance I have to get rid of Java I put in my two cents to do exactly that.
1. Re:Oracle doesn't get security! by ahabswhale · 2013-01-18 15:13 · Score: 1
  
  So I guess Amazon, Mint, Netflix, and eBay are all slow, bloated POS? Yes, some of the largest websites in the world run on Java. Fucking deal with it. At minimum, don't be such a fucking pussy and state what language you think should be used by these large companies.
  
  --
  Are agnostics skeptical of unicorns too?
Documentum in the office here... by erroneus · 2013-01-18 07:57 · Score: 1

... these updates and stuff are not fun.
How good would you be at 'C' right now? by Anonymous Coward · 2013-01-18 08:03 · Score: 1

Java JDK Alpha and Beta (1995). So that puts y'all at about 35, right? Just about ready for the glue factory. Don't worry. They'll come for you dot net / C Sharp burnouts in the next load. Kids are out of diapers, there's some equity in your house and the wife is unhappy, right?
Must mean there is some new 6th generation, socially enabled, no programmers needed, wundercoding coming, along with a new silver bullet development methodology and magical management philosophy, going to pop out of nowhere in the next few months.
Java is not broken by zmooc · 2013-01-18 08:22 · Score: 5, Interesting

The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.

--
0x or or snor perron?!
1. Re:Java is not broken by amicusNYCL · 2013-01-18 09:18 · Score: 1
  
  The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums.
  It sounds like there are quite a few people getting very good use out of the plugin, actually. Not Oracle's "customers", per se, but nonetheless they obviously appear to enjoy it.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
2. Re:Java is not broken by bcrowell · 2013-01-19 09:46 · Score: 1
  
  The only thing broken here is the Java browser plugin made by Oracle, which has no use whatsoever outside of museums. Java is not broken.
  Plenty of people are still using java applets. I use them. They're commonly used in medicine, banking, and law offices.
  Or are you claiming that the version of the browser plugin "made by Oracle" is the only one broken? If so, could you explain what you're basing that claim on? As far as I know, groups like IcedTea use Oracle's code extensively, and all of these bugs are likely to be present in all implementations of the Java 7 applet sandbox.
  
  --
  Find free books.
3. Re:Java is not broken by zmooc · 2013-01-19 11:49 · Score: 1
  
  Yes, yes, I'm aware they're commonly used in medicine, banking and law museums. Since you still use it, I suppose you work in such a museum?
  
  --
  0x or or snor perron?!
Not until WebRTC by Krischi · 2013-01-18 09:21 · Score: 2

No, not video conferencing, you can't. Not until WebRTC is ready.
1. Re:Not until WebRTC by Anonymous Coward · 2013-01-19 05:08 · Score: 1
  
  Video conferencing is entirely possible right now. It is just a lot harder than what Java or WebRTC would provide.
  Audio + Video can be given generated streams of data, which can be requested from a constantly open data stream between client and server, and even 2 clients, or peers if you will. Do the usual timekeepery wizardry to keep things in sync (something that piece of crap Skype doesn't even do!) and you are done.
  Peer2peer in web browser has been there for a couple years now at least, in fact likely longer. I'm sure I remember reading ages ago on here than some researchers made a darknet entirely within a web browser, no software or anything needing installed.
  I also don't think this was one using the Pepper API, which was a more recent development. Not sure what it used again.
  I just wonder how Google and their, uh, Dart was it, will go. (either that or Go)
  It sounds promising as a language from what I heard, but given it is Google, it will die this summer.
  Unless it is being used by a bajillion people, it gets cut.
  Google are as bad as the games industry right now trying to get the "CoD audience" and ruining entire game franchises in attempting to do so.
  In fact, Google are worse. They are outright killing things because they suck at advertising SOMEHOW, DESPITE HAVING A COMPANY BUILT ENTIRELY ON ADVERTISING.
  Hearing them cry over how iGoogle can't be monetized made me almost have a damn stroke at how stupid they are.
  The damn thing we all requested for over a year, the sidebar where the chat can go, has a HUGE space underneath it where ads could go. Do the same thing Gmail does as well with those tiny little ads at the topbar. PROBLEM SOLVED.
  Sorry for that tangent, Google annoy me more than Java, Oracle and Sun combined for being so stupid in the past 5 years. A company that used to be glorious has just died internally. It kinda sucks.
What patches by ArrayIndexOutOfBound · 2013-01-18 09:53 · Score: 1

Why do you keep referring to the latest release as a patch and a bugfix? The only change was in configuration - while before you could run unsigned applers, now you can only run signed ones. No patching / clever bugfixing was involved. And in response to commenter suggesting putting Java-in-browser out of misery, the last 'patch' was designed to do just that. The only way to decently run an applet is to have it signed by expensive code signing certs.
Stahp it! Please, Stahp!!! by mark-t · 2013-01-18 10:08 · Score: 1

These Java exploit announcements are becoming too frequent.... at some point it stops being news and starts being a waste of bandwidth.

--
File under 'M' for 'Manic ranting'
TeamViewer by Anonymous Coward · 2013-01-18 10:38 · Score: 1

Boring, reliable, Teutonic C++ code. No installation required. Get rid of WebEx.
Re:So Niiice by ahabswhale · 2013-01-18 15:00 · Score: 1

Like what? I'm curious what you're superior, unflawed language of choice is.
You are also clearly not a Java developer. I can state unequivocally that Java is very fast and reliable. I won't vouch for Java applets because like 99% of all Java developers, I write server-side Java. FYI...a good portion of the web runs on Java.

--
Are agnostics skeptical of unicorns too?
Oracle thinks of it as an opportunity by amoeba1911 · 2013-01-19 02:05 · Score: 1

to ask people to install ask.com toolbar when they carelessly go through the update. Every idiot I know has ask.com toolbar installed, they have no idea how they got it or what it does, and they don't understand that it redirects their searches to their own shitty web site. It's disgusting, and it's disgusting that Oracle benefits from this.
1. Re:Oracle thinks of it as an opportunity by museumpeace · 2013-01-19 02:57 · Score: 1
  
  OK, I am an idiot. PLEASE show me how to dig that piece of crap out of my browser.
  
  --
  SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
2. Re:Oracle thinks of it as an opportunity by gbjbaanb · 2013-01-19 10:11 · Score: 1
  
  Oracle tells you how (scroll down)
funny, Norton just told me it was safe by museumpeace · 2013-01-19 02:56 · Score: 1

They notified customers last night:

Rest assured, because you have a Norton security software product installed on your computer, you’re protected against the Java bug (CVE-2013-0422), as long as you have not disabled the automatic updates feature. We also recommend that you apply Oracle’s recently released security patch and make sure you are running the most updated version of Java. Thank you for being a valued Norton customer.
I am so glad I have protection.

--
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
hackable equilibrium? by ILongForDarkness · 2013-01-19 05:13 · Score: 1

My work has group policy that removed all Java from everyone's computers. We still didn't get it back so it seems that our IT is cautious enough that they didn't jump on the first patch they saw as an opportunity to give everyone their Java back.
But the quickness of the exploit poses a question to my mind: how much can hackers exploit a system before people just stop using the system? Especially with things like programming languages/frameworks chances are there is an equivalent solution to your problem that runs on a different framework. So how vulnerable can something like Java be before everyone just stops using it to develop there software? I think there must be some sort of equilibrium point where you can hack the system but no so frequently that people completely give up on it.
Ditch the plugin... by the.emmef · 2013-01-19 06:02 · Score: 1

Please don't yell on Java but instead yell on the plugin builders and browsers' handling of plugins. Browser application/native plugins are obsolete and inherently unsafe. If a company cannot come up with a decent JavaScript/HTML5 site, preferrably working over SSL, the site is not trustworthy and should not be visited. Java is a very stable and excellent performing language for real applications and specifically server applications. Though Oracle is wokring hard to alienate the Java world...
Re:NOT correct by DarkOx · 2013-01-21 00:45 · Score: 1

Yes and no. Macro certainly make it possible to define an objects that can handle any number of data types as inputs simple or otherwise.
What they don't give you that run time duck-typing does is to do something like create a instance of class driver, Fred. Give Fred an argument MaryLoo, an instance of class truck. Later call MaryLoo.Park() and than pass Fred and instance of car, Gina.
In strongly typed language maco's would make it is to create both drivers and truck_drivers; but not both with the same runtime instance. Alternatively driver might be written to accept a instance of automobile; but then both car and truck need to be children of automobile. That probably is the case in any sensible object model dealing with cars and trucks but is not always the case.
More complex situations often leave you facing two classes of objects that don't logically make sense to be derived from a common base class; yet they do share some common functions and properties and you do want to do the same operation on them. Duck-typing lets you decided this thing I have been passed is "enough like" whatever was expected to go on.
An insurance company might insure residences,boats and cars. Maybe a program is being written to see if uses qualify for a total value discount. Depending on what-else the companies libraries do with this data it may or may not make sense for these three classes to roll up to some parent. They all have a .GetLastAppraisalAmt() function. You might want to pass an array of pointers to all the customers owned assets, all the function needs to do is get a total it does not care about anything else. It could just check that every object its passed has .GetLastAppraisalAmt() if it does fine, otherwise raise an exception.

--
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html